Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Administration

Crypto Services

search
printsuggest an edit

Crypto Services

CCC provides you with the ability to manage individual partitions within a Luna Network HSM or a set of partitions across multiple Luna Network HSMs. These managed partitions are referred to as services. Ownership of each service is exclusively tied to the organization to which it is allocated. Each service is configured with specific parameters tailored to facilitate cryptographic operations, aligned with the unique requirements of the organization. Authorization to deploy and utilize the service for cryptographic purposes is limited to members of the respective organization. To efficiently manage these services, you can use the Crypto Services tab of CCC, offering the following functionalities:


note

Note

Before CCC can create or manage services on a Luna Network HSM device, it needs authorization to access the device as the Security Officer (SO).


copy link to clipboardCreate, modify, and remove services

Below are the procedures for creating, modifying, and removing services on CCC.


copy link to clipboardCreate a service

To create a service:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Services. This action will bring up a page displaying basic details of all existing services.

3At the top right corner of the page, you'll find a Create Service button. Click on it to start the process of creating a new service.

4In the subsequent Create Service wizard, fill in the required details:


Parameter Description
Service Name Enter a name for the service you wish to create. This name helps in identifying and distinguishing the service, making it easier to manage and reference.
Description Optionally, provide a brief overview of the service. This can offer valuable context for users or administrators managing the service.
Choose Template Select the template that best matches the type of service you intend to create. Templates provide predefined configurations tailored to specific service types.
Add Devices Select the required device(s) for the service from the list of authorized devices. Only devices that meet the service template's specifications will be available for selection. For High Availability (HA) configurations, you must select multiple devices. Ensure that all selected devices have the same firmware version, as only devices with matching firmware can be used to form an HA group.
Name Partition Assign a name to the partition(s) within the service. Naming partitions helps with easy identification and management within your HA group, especially when devices with varied performance levels are involved. Ensure the name reflects the partition's purpose or function for better organization and maintenance.
Assign Organization Choose the organization that will own and manage the service. This ensures the service is utilized only by the designated organization.
Summary Review the provided information for accuracy. If needed, click Go Back to make adjustments. Otherwise, click Finish to complete the service creation process.

5A pop-up window will confirm the service's creation and the reservation of necessary resources. Click the Initialize Now button located at the bottom of the pop-up window to commence the process of enabling the service.

note

Note

You have the option to initialize a service immediately upon creation or leave it uninitialized until deployment. Uninitialized services can be initialized by the CCC Administrator or an Application Owner.

6In the Initialize Service window that appears, enter the desired Cloning Domain and Partition Label. In case of PED authenticated services, enter the IP address of the remote PED server.

7Create passwords for the Security Officer and Crypto Officer. If required, also create a password for the Crypto User.

8Click Finish to complete the process of service initialization. You are now ready to start using the service.


copy link to clipboardModify a service

To modify a service:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Services. This action will bring up a page displaying basic details of all existing services.

3Click on the service that requires modification. This action will reveal the service-related details located towards the bottom of the page.

4To view and make changes to the details associated with the service, navigate to the relevant tab.


Tab Description
General Displays key details about the service, including:
- Service Name: Name assigned to the service.
- Description: Brief summary of the service’s function.
- HA Group Label: Identifies the High Availability (HA) group if applicable.
- Owner Organization: Specifies the managing organization.
- Service Creation Details: Shows who created the service and when.
Capabilities Provides information on service features and specifications:
- Service Type: Defines the type of service.
- Host Device Type: Specifies the device hosting the service.
- Partition Size: Displays allocated partition size (in bytes).
- Per Partition SO Status: Indicates if Security Officer (SO) functionality is enabled for each partition.
- Scalable Key Storage Status: Shows whether scalable key storage is enabled for efficient key management.
- Device Capabilities: Lists the hosting device’s features, including performance, authentication, and backup support.
Partitions Displays details about the partitions within the service:
- Status: Indicates the current partition status.
- Name: Unique identifier assigned to the partition.
- Label: Descriptive label associated with the partition.
- Serial Number: Unique serial number of the partition.
- Associated Device Name: Name of the device linked to the partition.
- Appliance Version: Version of the appliance software running on the device.
- Device Firmware Version: Firmware version of the device hosting the partition.

Add Partitions: Click Add Partitions to create a new partition. In the Add Partitions window, select a Luna Network HSM device, click Next, and then Add Partition to finalize.

Initialize Crypto User: Click Initialize Crypto User to set up a Crypto User. Enter the Crypto Officer and Crypto User passwords, then click Initialize to enable cryptographic operations.

Delete Partition: As a CCC administrator, you can remove a partition from an HA group to free up memory or repurpose partitions. Before deletion, ensure necessary key material is cloned. To delete a partition:
1. Hover over the partition and click Delete Partition (next to the Device Firmware column).
2. Authenticate as the HSM Security Officer.
3. Click Delete Partition to complete the removal.
Keys Displays key attributes:
- Label: Identifier or name associated with the key.
- Type: Category of the key.
- Handle: Unique identifier assigned within the system.
- Fingerprint: Cryptographic hash representing the key's contents.
- Algorithm: Cryptographic algorithm used.
- Bit Size: Length of the key in bits, indicating its strength.

note

Note

To view key attributes on a partition, disable the ipcheck property of NTLS on the HSM using ntls ipcheck disable.

note

Note

Disabling ipcheck bypasses IP verification, posing security risks. Ensure adequate security measures before proceeding.

Authentication:
- To access the Keys tab, enter the Crypto Officer password (generated during service creation) and click Authenticate.
- This process may take time as it establishes an NTLS connection between the Luna Network HSM and partitions.
- For PED services: Provide a Remote PED Server IP Address and Remote PED Port, along with the Crypto Officer password—unless the Crypto Officer role was activated during service creation.

Log Off Session:
- Click Log Off Session to manually terminate an NTLS session between the HSM and partitions.
- If an NTLS session remains idle for 3 hours, the system automatically ends it to enhance security.

Best Practices:
- Avoid using the CCC server to establish an NTLS connection via LunaCM or LunaSH, as this can cause errors in key attribute retrieval.
- Instead, use the CCC Client to establish an NTLS connection for smoother functionality.
- In an HA service, CCC synchronizes objects across all member partitions, ensuring consistency.
- Avoid importing the CCC ROT partition as a service, as this may disrupt its NTLS connection with the CCC server.

View Key Material:
Watch this video for a demonstration on viewing key material within a service:

View Key Material
Clients Displays details about Luna HSM client workstations associated with the service:

- Status: Indicates whether the client workstations are active or encountering errors.
- Host Address: Shows the network address of each client workstation.
- Fingerprint: Provides a unique identifier for each client workstation.
- Last Registration: Displays the timestamp of the last client registration with the service.
note

Note

When a partition is added, removed, or reinitialized within a service, existing client associations may display an error status. This indicates that the clients need to be re-registered to synchronize with the updated service configuration.

copy link to clipboardRemove a service

Within CCC, you have the option to detach or delete a service. Detaching a service removes it from CCC but does not impact the associated partition(s) or the objects within them. Deleting a service, on the other hand, removes it from CCC and also deletes the partition(s) and any objects contained within them. Typically, services are deleted by the Application Owner. To detach or delete a service:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Services. This action will bring up a page displaying basic details of all existing services.

3Locate the service you wish to remove, then hover over it and click the Remove button. You will then be prompted to choose between detaching or deleting the service. Select the appropriate option based on your needs.

4Confirm your action when prompted. The selected service will then be either detached or deleted, depending on your choice.


copy link to clipboard Add, modify, copy, and delete service templates

Below are the procedures for adding, modifying, and copying service templates on CCC.


copy link to clipboardAdd a service template

To add a service template:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.

3At the top right corner of the page, you'll find a Add Service Template button. Click on it to start the process of adding a new service template.

4In the Create Service Template wizard, proceed to populate the essential fields across multiple tabs according to the subsequent instructions.

5Enter the following information in the General tab:


Parameter Description
Template Name Enter a name for the template you wish to create. This name helps in identifying and distinguishing the template, making it easier to manage and reference.
Description Optionally, provide a brief overview of the template. This can offer valuable context for users or administrators managing the template.

6Enter the following information in the Set Capabilities tab:


Parameter Description
Service Type Choose the type of service to create:
- HSM Partition: Establishes an independent service on a single device.
- HSM Partition HA Group: Configures a High Availability (HA) group across multiple devices for enhanced redundancy and performance.
Device Capabilities Define the capabilities of the selected Luna Network HSM device to match operational needs. An HA group can include devices with varying performance levels, such as Standard, Enterprise, and Maximum, allowing flexible combinations within the group.
HSM Model Select the Luna Network HSM device that will be used for generating the template.
Partition Settings - Partition Size (bytes): Specifies the size of the partition allocated for services.

- Per-Partition SO: Assigns a dedicated Security Officer (SO) to each service created from this template. This feature requires firmware 6.22 or higher and the Per-Partition SO capability upgrade (CUF). For devices running firmware 7.x, this feature is mandatory and enabled by default.

- Secure Trusted Channel (STC): Enables Secure Trusted Channel (STC) for communication between services created from this template and Application Owner clients. This option replaces the standard NTLS connection and requires:
- Software version 6.2.1 or higher
- Firmware version 6.24.2 or higher
- STC HSM policy enabled
note

Note

CCC no longer supports STC with Luna Network HSM. STC-based partition creation is unavailable for Luna Network HSM 7 (firmware 7.7.0 and above).

- Scalable Key Storage (SKS): If using Thales Luna Network HSM 7 (Firmware 7.7.0 and above), enable this option to create a V1-type partition. Leave the checkbox unchecked to create a V0-type partition.

7Review the details of your service template using the Summary tab. If any information needs modification, click Go Back to make the necessary adjustments. Once everything is accurate, click Finish to finalize the creation of your template. A confirmation pop-up will appear, signaling the successful creation of your service template. You'll then have the option to create a service using this template immediately by clicking Yes, Create Service, or you can choose to close and create a service later. If you opt to create the service now, you'll be directed to the Create Service wizard, as outlined in the Create a Service section.

copy link to clipboardModify a service template

To modify a service:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.

3Click on the service template that requires modification. This action will reveal the template-related details located towards the bottom of the page.

4Access and adjust the details associated with the service template by navigating to the appropriate tab.

5Within the General tab, review and update the following details:


Parameter Description
Template Name Assign a descriptive name to the template for easy identification and management.
Description Optionally, provide a brief overview to offer context for users or administrators managing the template.

6Within the Capabilities tab, review and update the following details:


Parameter Description
HSM Model Select the Luna Network HSM device to be used for generating the template.
Device Capabilities Define the capabilities of the selected Luna Network HSM device to ensure compatibility with operational needs.
Service Type Choose one of the following service types:
- HSM Partition: Creates an independent service on a single device.
- HSM Partition HA Group: Configures a High Availability (HA) group across multiple devices.
Partition Settings - Partition Size (bytes): Specifies the size of the partition allocated for services.

- Per-Partition SO: Assigns a unique Security Officer (SO) to each service created from this template. This feature requires firmware 6.22 or higher and the Per-Partition SO capability upgrade (CUF). For devices running firmware 7.x, this feature is mandatory and enabled by default.

- Secure Trusted Channel (STC): Enables services created from this template to establish connections with Application Owner clients using STC instead of NTLS. The device must meet the following STC requirements:
- Software version 6.2.1 or higher
- Firmware version 6.24.2 or higher
- STC HSM policy enabled
note

Note

CCC no longer supports STC with Luna Network HSM. The option to create partitions using STC is unavailable for Luna Network HSM 7 (firmware 7.7.0 and above).

- Scalable Key Storage (SKS): If using Thales Luna Network HSM 7 (Firmware 7.7.0 and above), enable this option to create a V1-type partition. Leave the checkbox unchecked to create a V0-type partition.

7After making the desired modifications, click the Save button to ensure that your changes are applied and saved.

copy link to clipboardCopy a service template

To copy a service template:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.

3Hover over the service template that you want to copy, and then click the Copy button. Doing so will bring up the Create Service Template wizard, with the fields pre-filled with the values from the copied service template.

4Complete the wizard, as described in the Add a service template section.

copy link to clipboardDelete a service template

To delete a service template:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Service Templates. This action will bring up a page displaying basic details of all existing service templates.

3Locate the template you wish to delete, then hover over it and click the Delete button.

4Confirm your action when prompted. The selected template will then be deleted.


copy link to clipboard Import Partitions

To import a partition:

1Click on the Crypto Services tab located in the menu bar at the top of the screen.

2In the left-hand navigation pane, select Import Partitions. This action will bring up the Import Partitions page.

3Click on the Get Started button. This action will prompt the display of a list of HSM devices containing unmanaged partitions. Unmanaged partitions are those that have not yet been associated with a service, making them available for import into CCC.

note

Note

Devices that are offline or unauthorized will not be listed.

4Check the box located next to the name of the device to indicate which device or devices you want to scan for available partitions.

note

Note

You have the flexibility to select multiple devices or choose all devices, depending on your needs.

5After selecting the desired devices, click the Find Partitions button. Please note that the discovery process may take some time to finish, especially if there are many devices to query. Once the discovery process is complete, a table will be presented listing all the discovered partitions along with their respective details.

note

Note

If you attempt to import more partitions than your CCC license permits, you'll receive a popup notification indicating that you've exceeded the partition limit. To proceed with the import, you'll need to adjust the number of partitions you want to import so that it equals or is fewer than the number of partitions allowed by your CCC license.

note

Note

If you are importing a partition that has both STC and PPSO policies enabled, you won't be able to use certain features of CCC. This restriction exists because CCC doesn't have the necessary permissions to securely interact STC connection that is already established within the partition being imported.

note

Note

While CCC tries to identify the partitions based on their service type (either standalone or part of a partition HA group), it's advisable to review the information displayed in the table and confirm its accuracy, particularly for HA groups.

6Use the Remove button located at the far right of each partition row to delete any partitions that you do not wish to import. You have the option to either import all of the discovered partitions or remove specific partitions from the list before proceeding with the import process. When you import a partition or HA group into CCC, you need to:


  • Provide a name for the HA group, if the partitions you are importing belong to an HA Group.

  • Provide a name for the service.

  • Optionally, include a description for the service.

  • Select the organization that will own the service.

note

Note

Any changes you make to the table, such as adding, removing, or modifying partitions, will be automatically saved. These changes will remain in effect even if you log out of your session and log back in later.

note

Note

If you're importing an HA group, it's essential to verify the correct HA Group Label associated with it. You can do this by logging in to any client that uses the HA group and using the command vtl haAdmin show to retrieve the actual HA Group Label. Once you have the correct label, you should delete the default label (HA_n) and replace it with the actual one to ensure accurate identification and management of the HA group within the CCC system.

7After you have completed importing partitions and made any necessary adjustments, you should click the Finish Import button. Doing so will finalize the import process. Upon successful completion, you will receive a message confirming the success of the import operation. Subsequently, the newly imported partitions will be visible on the Services page.

copy link to clipboardMigrate services

CCC enables you to migrate or transfer key objects between services. Explore comprehensive guidance in the following sections:


copy link to clipboardIdentify compatible devices

CCC facilitates service migration between the following devices:

Source Device Destination Device
7.x PED 7.x PED
7.x Password (For SAs below 7.7, apply the REST patch that fixed the domain issue) 7.x Password (For SAs below 7.7, apply the REST patch that fixed the domain issue)
note

Note

Migration cannot be performed if the source firmware version is 7.7.x and the target firmware version is 7.4 or lower.

note

Note

Migration cannot be performd if the source firmware is FM-ready or FM-not-ready, and the target firmware is FM-disabled or FM-enabled.


copy link to clipboardFollow migration steps

To migrate a service, follow these steps:

note

Note

The duration of the service migration process varies based on the number of objects and devices involved. During this period, other CCC functions will be inaccessible.

note

Note

For Non PPSO PED service migration, ensure that the source partition is activated and that the default challenge is not set.

note

Note

If the selected source service is an HA service, migration will be conducted solely from its first partition.

note

Note

If there is an insufficient number of partition licenses available, the Migrate Service button will remain disabled.

note

Note

It's advisable to create a backup of the source partitions before initiating the data migration process.

note

Note

When upgrading from an older version of CCC and creating an HA service using an existing partition, manually resetting the password is necessary to ensure that the new password comprises at least 8 characters.

1Disable the ipcheck property of NTLS on the HSM by executing the following command:

ntls ipcheck disable

2Add the source device, which requires migration, along with all target devices intended for migration, to CCC.

3Ensure that the service slated for migration is either already present in CCC or create a new service for migration.

note

Note

The service will only appear for selection if the source HSM has cloning capability and is initialized.

4Click on the Crypto Services tab located in the menu bar at the top of the screen.

5In the left-hand navigation pane, select Migrate Service. This action will bring up the Migrate Service page.

6Initiate the service migration process by clicking the Migrate Service button. Follow the prompts in the Migrate Service wizard that appears.

7In the Select Service tab of the wizard, select the service that you wish to migrate and proceed by clicking Next.

note

Note

If selected service is an HA service, it’s first partition is considered as primary partition.

8In the New Service tab, provide the necessary details, such as the New Service Name, Organization, HSM Model, Partition Size, and Description (optional). Click Next when all the details are entered.

9Proceed to the Select Devices tab and choose the device(s) intended to provide the new service. Click Next when you are done.

10In the Define Partition tab, enter the partition label and cloning domain (in case of password authenticated devices). Click Next once completed.

note

Note

During the initialization of new service partitions in the migration process, it's crucial to use the same cloning domain and role credentials as the service chosen for migration. This ensures consistency and compatibility between the original service and the migrated partitions.

11Navigate to the Initialize Roles tab and enter the passwords for Security Officer, Crypto Officer, and, if applicable, Crypto User. For PED authenticated devices, provide the remote PED server IP address, remote PED server port, and Crypto Officer password.

12Use the Summary tab to review and validate all entered details. Once confirmed, proceed by clicking the Migrate Service button. Wait for the completion of the service migration process. Please be patient as the duration may vary depending on the number of objects and devices involved. Upon successful migration, a confirmation message will be displayed.

copy link to clipboardView migration video

Below is a video presentation illustrating the effective utilization of CCC's service migration functionalities:


copy link to clipboardTroubleshoot migration issues

Error Message Solution
Failed to create a new service for a device. Manually import partitions into CCC using the import partition feature. You can import them either as a standalone service or as part of an HA group service.
Failed to migrate key material to a device. To include a device where migration has failed, utilize the add partition feature for the newly created service. Then, authorize the service using the ccc_client tool. During the authorization process, CCC conducts synchronization across all partitions of the service.

On this page